On Wed, Jun 3, 2015 at 8:43 AM, Stefan Eissing <stefan.eiss...@greenbytes.de > wrote:
> Hmm, personally, I do not like redundant configurations. If someone > configures a module, like mod_h2, to be enabled (H2Engine on), she could > expect the module to take all the necessary steps. So I am no fan of a > „SSLAlpnEnable“. > The reason boils down to vhosts and interop. If someone does not wish for a specific vhost (perhaps interacting with bad clients, or created for backwards compatibility) to respond with a feature, it is useful to have a fine-grained toggle. The default -could- be 'enabled', although this probably should not happen on the stable/maintenance branches, but simply on the future release branch, to avoid surprises. OpenSSL does the wrong thing in some cases with respect to TLS/SNI and my current patch development - in some respect - is backing out that callback change for customers who have been burned by this specific nonsense. You should reconsider absolutist behaviors, because they make it much harder for people to inject 'experimental' behaviors into specific hosts.
